Oct. 11, 2015
AWS security groups are a perfect way to manage security: they provide a powerful firewall. However, there are some basic rules you need to follow. Without strict security controls, the security of an entire application may be compromised.
When you create a new instance through Salt, you must specify a default security group. To avoid any security breach, create a default group that only allows ssh.
Applications of the same kind usually use the same ports. For example, if you are running multiple web servers, they will most likely use ports 80/443. Create a security group named “web servers” and apply it to all your instances of this type.
Since you can apply multiple security groups to an instance, use different levels of security groups. Create a base security group containing the basic rules you always need (ssh, rpc, etc.), then apply an additional security group depending on the application.
Back-end services usually aren’t reachable from the outside, unlike front-end services. Make sure to create a separate base group for each of these two.
People usually allow all outbound traffic. However, that leaves you unprotected against malicious services. List the external services you need to reach and block every other port. In most cases you will only need: ssh, http(s), ftp, ntp, dns and vpn.
Sometimes you need exceptions for a specific service. However, instead of updating an existing group, which affects every member of that group (and weakens security), create a dedicated group for that instance’s exceptions and apply it to the instance in addition to its other security groups.
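As an added example (not part of the original post), a small Python audit that checks security groups, in the shape boto3's ec2.describe_security_groups() returns, against two of the rules above: the default group allows ssh only, and outbound is an allow-list of the services named. The sample groups, the helper names and the VPN port are assumptions.

```python
"""Audit AWS security groups against the rules in this post.

Group dicts follow the shape of boto3's ec2.describe_security_groups()
(GroupName, IpPermissions, IpPermissionsEgress); only the keys the audit
reads are shown. The sample groups are constructed for this example.
"""

# Outbound services the post lists as usually sufficient. The VPN port is
# an assumption (OpenVPN on udp/1194); change it to match your own VPN.
ALLOWED_EGRESS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 21),
                  ("udp", 123), ("udp", 53), ("tcp", 53), ("udp", 1194)}


def rule_ports(perm):
    """Expand one IpPermission into (protocol, port) pairs; None = all."""
    if perm["IpProtocol"] == "-1":
        return None
    return {(perm["IpProtocol"], p)
            for p in range(perm["FromPort"], perm["ToPort"] + 1)}


def audit_group(group, allowed_egress=ALLOWED_EGRESS):
    """Return findings for one group (empty when it follows the post)."""
    name, findings = group["GroupName"], []
    # Rule: the default group handed to new instances allows ssh only.
    if name == "default":
        findings += [f"{name}: inbound rule other than ssh"
                     for p in group["IpPermissions"]
                     if rule_ports(p) != {("tcp", 22)}]
    # Rule: outbound is an allow-list, never "everything".
    for perm in group["IpPermissionsEgress"]:
        ports = rule_ports(perm)
        if ports is None:
            findings.append(f"{name}: outbound allows all traffic")
        elif not ports <= allowed_egress:
            findings.append(f"{name}: outbound allows "
                            f"{sorted(ports - allowed_egress)}")
    return findings


def perm(proto, lo, hi=None):  # hypothetical helper to build one rule
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": lo if hi is None else hi}


SAMPLE_GROUPS = [  # constructed: a default group allowing all outbound, and a web group
    {"GroupName": "default", "IpPermissions": [perm("tcp", 22)],
     "IpPermissionsEgress": [{"IpProtocol": "-1"}]},
    {"GroupName": "web servers", "IpPermissions": [perm("tcp", 80), perm("tcp", 443)],
     "IpPermissionsEgress": [perm("tcp", 443), perm("udp", 53)]},
]
```

Run `audit_group` over each group from a real `describe_security_groups()` call to get the same findings for your account.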